> This is not true. If you read the S/MIME specs it says one MUST implement the RC2/40 algorithm. A MUST in an RFC has a very definite purpose: If an application does not implement all MUST sections of the RFC then it is not compliant! To create an S/MIME compliant application one MUST implement RC2/40 and one MUST pay RSA to do so!!

Umm.... If you read what I wrote, you will see that I said "S/MIME DOES implement 40 bit RC2, but it ALSO implements XXXXXXXX."

Personally, I'd rather see even weak crypto getting world-wide deployment than seeing no crypto getting out because of stupid draconian export laws. However much you may dislike their "weak crypto", Netscape and Microsoft are getting more seats of crypto-compliant software out there than PGP ever has. And once the infrastructure is out there where everyone can use weak crypto, people will (hopefully) realize that it is insecure, and shift to stronger algorithms that ARE supported currently in domestic US/Canada versions, and which I'm sure someone outside of the States will have coming out in the near future, if they're not already there.

> Netscape, Microsoft, and RSA are letting their greed get in the way of developing a message encryption protocol that provides strong crypto to ALL users.

Either that, or Netscape, Microsoft, and RSA are being practical and doing something that will legally put SOME cryptography in the hands of everyone today. It's all in how you look at it.

ian